ROMANIAN EDUCATION NETWORK
A Practical Solution to Detect DoS/DDoS Attacks
Subredu Manuel, Octavian Rusu, Vraciu Valeriu
Iasi Branch
{manuel,octavian,vvraciu}@iasi.roedu.net
Conference - Iasi - June 5-6, 2003
Summary
- Types of DoS/DDoS attacks
- Attack solutions
- Practical solution: zazu
  - Flow Engine
  - Plug-ins manager
  - Filtering engine
  - Reporting Engine
  - Plug-in architecture
- Future
- Conclusions
Types of DoS/DDoS attacks
- Teardrop DoS: exploits a flaw in the reassembly of IP packet fragments; overlapping or malformed fragments crash vulnerable IP stacks.
- Smurf DoS: the adversary abuses the IP directed-broadcast feature together with the ICMP echo (ping) message. Echo requests carrying the victim's spoofed source address are sent to a broadcast address, and every host on that network answers the victim, producing a very large amount of traffic.
- SYN flood DoS: abuses the three-way handshake TCP uses to establish a connection. The attacker sends many SYN segments (usually from spoofed sources) and never completes the handshake, filling the victim's backlog of half-open connections.
- Ping of Death: uses the ping system utility to build (via fragments) an IP packet whose reassembled size exceeds the 65,535-byte maximum allowed by IP, crashing vulnerable stacks.
Attack solutions
Filtering
- Source address filtering
  - Risky, especially against a distributed DoS with random (spoofed) source IP addresses: the filter list cannot keep up and legitimate addresses may be blocked;
  - Very good performance and minimal impact on the destination when the attack comes from a verified source IP address.
- Destination address filtering
  - Good performance;
  - The destination address is known (it is the victim), so the filter is easy to build; the cost is that the filtered address loses all traffic for the filtering period.
Traffic shaping
- Poor performance and resource-intensive.
Practical solution - zazu
Components
- Flow processing engine:
  - Flow Capture Engine;
  - Flow Decode Engine.
- Plug-in manager
- Filtering Engine
- Alert and Report engine
  - Email alerts;
  - Database logging;
  - Text file logging.
Zazu::FlowEngine
FlowCapture Engine
- captures the flows from the network;
- verifies the source (only configured exporters are accepted);
- performs basic sanity checks on each flow datagram;
- unpacks the individual flow records carried in each UDP flow datagram.
FlowDecode Engine
- converts each flow element to the local format (from network byte order into host byte order).
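The capture and decode steps above, as an added example that is not zazu's own code. It assumes the exporter speaks NetFlow v5 (the deck does not name the flow format), verifies the exporter address against an allow-list, checks version, record count and datagram length before unpacking, and converts every field from network to host byte order; the datagram is constructed in-line so the example runs offline.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire layout (assumption: the exporter speaks NetFlow v5).
# "!" selects big-endian, i.e. network byte order; struct converts to host order.
V5_HEADER = struct.Struct("!HHIIIIBBH")               # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes
RECORD_FIELDS = (
    "src", "dst", "nexthop", "input_if", "output_if", "packets", "octets",
    "first", "last", "src_port", "dst_port", "pad1", "tcp_flags", "proto",
    "tos", "src_as", "dst_as", "src_mask", "dst_mask", "pad2",
)
MAX_V5_RECORDS = 30  # a v5 datagram never carries more than 30 records


class FlowError(ValueError):
    """Raised when a datagram fails source verification or the basic checks."""


def decode_v5(datagram: bytes, exporter: str, allowed_exporters: set) -> list:
    """Verify the exporter, sanity-check the datagram, return host-order flow dicts."""
    # 1. verify the source: only configured routers may feed the engine
    if exporter not in allowed_exporters:
        raise FlowError(f"flow datagram from unexpected exporter {exporter}")
    # 2. basic checks on the datagram before touching any record
    if len(datagram) < V5_HEADER.size:
        raise FlowError("datagram shorter than a NetFlow v5 header")
    version, count, _uptime, _secs, _nsecs, _seq, _etype, _eid, _sampling = (
        V5_HEADER.unpack_from(datagram, 0))
    if version != 5:
        raise FlowError(f"unsupported NetFlow version {version}")
    if not 1 <= count <= MAX_V5_RECORDS:
        raise FlowError(f"implausible record count {count}")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) != expected:
        raise FlowError(f"datagram length {len(datagram)} != expected {expected}")
    # 3. unpack each record and 4. convert it to the local (host) format
    flows = []
    for i in range(count):
        offset = V5_HEADER.size + i * V5_RECORD.size
        raw = dict(zip(RECORD_FIELDS, V5_RECORD.unpack_from(datagram, offset)))
        flows.append({
            "src": str(IPv4Address(raw["src"])),
            "dst": str(IPv4Address(raw["dst"])),
            "input_if": raw["input_if"], "output_if": raw["output_if"],
            "packets": raw["packets"], "octets": raw["octets"],
            "first": raw["first"], "last": raw["last"],      # ms of router uptime
            "src_port": raw["src_port"], "dst_port": raw["dst_port"],
            "proto": raw["proto"], "tcp_flags": raw["tcp_flags"],
        })
    return flows


def build_sample_datagram() -> bytes:
    """Constructed sample: one half-open TCP SYN flow and one ICMP echo flow."""
    def rec(src, dst, pkts, octets, first, last, sport, dport, flags, proto):
        return V5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed,
                              b"\0\0\0\0", 1, 2, pkts, octets, first, last,
                              sport, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)
    records = [
        rec("10.1.2.3", "192.0.2.10", 1, 40, 1000, 1000, 40001, 80, 0x02, 6),
        # for ICMP, NetFlow v5 stores type<<8|code in dst_port (0x0800 = echo request)
        rec("10.1.2.4", "192.0.2.10", 500, 42000, 1000, 1200, 0, 0x0800, 0, 1),
    ]
    header = V5_HEADER.pack(5, len(records), 123456, 1054800000, 0, 1, 0, 0, 0)
    return header + b"".join(records)
```

The length check matters in practice: a truncated or padded datagram is rejected as a whole rather than silently yielding a partial last record, and the exporter check keeps a host on the network from injecting fake flows that would later trigger a filter.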
Zazu::Plug-ins manager
- Loads the plug-ins at start time
- Manages the data transfer between zazu and the external plug-ins
- Transmits the attack information from the plug-ins to the filtering engine
- Unloads the plug-ins at stop time
Zazu::Filtering engine
- Consults the configuration file for the filtering directives that apply to the reported attack type
- Takes the filtering decision based on those directives
- Ensures that the IP address about to be filtered is not in the not-filter list
- Checks for an existing filter with the same characteristics, so the same attack is not filtered twice
- Builds the filtering command
- Connects to the router and sets up the filter
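The decision steps above, as an added example rather than zazu's own code. The configuration dictionary, the not-filter list, the alert shape (`type`, `dst`) and the Cisco IOS style null route used as the filtering command are all assumptions; the deck does not show zazu's configuration format or which router commands it issues.

```python
from ipaddress import ip_address, ip_network

# Hypothetical filtering directives per attack type (assumption: zazu's real
# configuration file format is not shown on the page).
CONFIG = {
    "synflood":  {"action": "filter", "filter_seconds": 600},
    "udpflood":  {"action": "filter", "filter_seconds": 300},
    "icmpflood": {"action": "report", "filter_seconds": 0},   # report only, never filter
}

# Addresses that must never be filtered (name servers, the monitoring host, ...).
NOT_FILTER = [ip_network(n) for n in ("192.0.2.0/29", "198.51.100.1/32")]


def build_filter_command(target) -> str:
    # Assumption: a Cisco IOS style null route ("blackhole"); other routers
    # need a different template.
    return f"ip route {target} 255.255.255.255 Null0"


def decide_filter(alert: dict, active_filters: dict, now: int,
                  config=CONFIG, not_filter=NOT_FILTER):
    """Return (decision, command, expiry). active_filters maps ip -> expiry time
    and is updated in place when a new filter is installed."""
    directive = config.get(alert["type"])
    if directive is None:
        return ("no-directive", None, None)          # unknown attack type: do nothing
    if directive["action"] != "filter":
        return ("report-only", None, None)           # directive says report, not filter
    target = ip_address(alert["dst"])                # destination filtering: the victim
    if any(target in net for net in not_filter):
        return ("whitelisted", None, None)           # never filter the not-filter list
    expiry = active_filters.get(str(target))
    if expiry is not None and expiry > now:
        return ("already-filtered", None, None)      # same filter still in place
    # either no filter yet or a stale one with the same characteristics: (re)install
    new_expiry = now + directive["filter_seconds"]
    active_filters[str(target)] = new_expiry
    return ("filter", build_filter_command(target), new_expiry)
```

Keeping `active_filters` keyed by address and expiry is what lets the engine both avoid duplicate filters and re-apply one when a router reload or an expired entry has removed it; the not-filter check must come before the duplicate check so a whitelisted address never ends up in the active table.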
Zazu::ReportingEngine
- Gathers all the information about the attack:
  - source IP address (hostname);
  - destination IP address (hostname);
  - the client to whom the filtered IP address belongs;
  - input/output interface;
  - time and date of the attack;
  - type of the attack;
  - filtering period.
- Builds and sends an email with all the gathered data to the network engineers and to the client as well;
- Logs the attack into an SQL database;
- Logs the attack into plain text log files.
Plug-ins architecture
- Modular architecture;
- Great flexibility;
- Easy to add new plug-ins;
- Common plug-in API;
- Provides a framework for working with flows.
Available plug-ins
- icmpdosdetector - detects basic ICMP attacks;
- tcpddosdetector - detects SYN flood attacks, distributed or direct;
- udpddosdetector - detects UDP flood attacks, distributed or direct;
- dccspy - detects connections to a well-known list of Direct Connect servers;
- flowprint - prints flows matching a given source/destination IP address into a plain text file;
- fileflowprint - dumps all the flows into plain text files for further analysis.
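The kind of logic the tcpddosdetector, udpddosdetector and icmpdosdetector plug-ins need, written as an added example (not the plug-ins' own code, whose thresholds and heuristics the deck does not give). It works on already-decoded flow records (dicts with src, dst, proto, packets, first, last in ms, tcp_flags), flags a SYN flood from many half-open flows towards one destination, flags ICMP/UDP floods from the packet rate towards one destination, and uses the number of distinct sources to tell a distributed attack from a direct one; the flows and all thresholds are constructed for the example.

```python
from collections import defaultdict

# TCP flag bits as stored in the NetFlow tcp_flags byte
FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10


def detect_synflood(flows, min_flows=100, min_sources_for_ddos=50):
    """SYN flood: many flows to one destination that carry only a SYN and at most
    a couple of packets, i.e. handshakes that were never completed."""
    sources_by_dst = defaultdict(list)
    for f in flows:
        if f["proto"] == 6 and f["tcp_flags"] & (SYN | ACK) == SYN and f["packets"] <= 2:
            sources_by_dst[f["dst"]].append(f["src"])
    alerts = []
    for dst, srcs in sources_by_dst.items():
        if len(srcs) >= min_flows:
            distinct = len(set(srcs))
            alerts.append({"type": "synflood", "dst": dst, "flows": len(srcs),
                           "sources": distinct,
                           "distributed": distinct >= min_sources_for_ddos})
    return alerts


def detect_packet_flood(flows, proto, name, min_pps, min_sources_for_ddos=50):
    """ICMP (proto 1) or UDP (proto 17) flood: packet rate towards one destination
    over the span covered by the flows exceeds min_pps."""
    stats = defaultdict(lambda: {"packets": 0, "first": None, "last": None, "srcs": set()})
    for f in flows:
        if f["proto"] != proto:
            continue
        s = stats[f["dst"]]
        s["packets"] += f["packets"]
        s["first"] = f["first"] if s["first"] is None else min(s["first"], f["first"])
        s["last"] = f["last"] if s["last"] is None else max(s["last"], f["last"])
        s["srcs"].add(f["src"])
    alerts = []
    for dst, s in stats.items():
        seconds = max(s["last"] - s["first"], 1000) / 1000.0   # never divide by ~0
        pps = s["packets"] / seconds
        if pps >= min_pps:
            alerts.append({"type": name, "dst": dst, "pps": pps, "sources": len(s["srcs"]),
                           "distributed": len(s["srcs"]) >= min_sources_for_ddos})
    return alerts


def run_detectors(flows):
    """What a plug-in cycle would hand to the filtering engine."""
    return (detect_synflood(flows)
            + detect_packet_flood(flows, 1, "icmpflood", min_pps=1000)
            + detect_packet_flood(flows, 17, "udpflood", min_pps=1000))


def flow(src, dst, proto, packets, first, last, tcp_flags=0, dst_port=0):
    return {"src": src, "dst": dst, "proto": proto, "packets": packets,
            "first": first, "last": last, "tcp_flags": tcp_flags, "dst_port": dst_port}


def sample_flows():
    """Constructed sample: a distributed SYN flood, an ICMP flood from one host
    and ordinary completed web sessions."""
    flows = []
    # 150 half-open SYN flows, each from a different (spoofed) source, to one server
    for i in range(150):
        flows.append(flow(f"198.51.100.{i + 1}", "192.0.2.10", 6, 1, 0, 0,
                          tcp_flags=SYN, dst_port=80))
    # one host sending 100000 ICMP packets within 10 seconds (20 flow records)
    for _ in range(20):
        flows.append(flow("10.9.9.9", "192.0.2.10", 1, 5000, 0, 10000))
    # normal completed web sessions: SYN, ACK, PSH and FIN seen, tens of packets each
    for i in range(20):
        flows.append(flow(f"203.0.113.{i + 1}", "192.0.2.20", 6, 50, 0, 3000,
                          tcp_flags=SYN | ACK | PSH | FIN, dst_port=80))
    return flows
```

The SYN-only test (`tcp_flags & (SYN | ACK) == SYN`) is what separates half-open connections from the SYN that opens every legitimate session, since a completed session's flow record also has ACK set; the packet-rate detectors deliberately look at packets rather than octets, because ICMP and UDP floods are usually built from small packets.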
Web interface
Conclusions
Zazu has:
- Modular architecture;
- Increased flexibility;
- SQL database support for attack logging;
- Plain text file support for attack logging (fast access);
- Plug-in support;
- An information-rich Reporting Engine.
Future plans
To-do list:
- Algorithm optimizations and improvements;
- Scripting support for zazu::filteringengine;
- Support for other SQL servers;
- Improved web interface;
- More configuration parameters;
- Better plug-in integration;
- Command line utilities for fast access to the attacks database.
Questions?